Channel: FortiGate – Fortinet Cookbook

Multi-realm SSL VPN tunnel


In this recipe you will learn how to create a simple multi-realm SSL VPN tunnel that provides different portals for different user groups. You will create the necessary user definitions and configure the SSL VPN portals, settings, and policies.

In the example, user ckent has full access to both the web portal and tunnel mode, while user dprince has web-only access. Mozilla Firefox and the FortiClient application are used to test the tunnel's accessibility.

The recipe assumes that a local interface has already been configured on the FortiGate, and that SSL-VPN Realms is enabled in the Features store (System > Config > Features).

1. Creating the users and user groups

Go to User & Device > User > User Groups and create separate user groups for web-only and full-access portals.

Add a user (in the example, ckent) to the user group for full-access SSL VPN connections.

Add a user (in the example, dprince) to the user group for web-only SSL VPN connections.

2. Configuring the SSL VPN realms

Go to VPN > SSL > Realms and configure two realms, one for each user group.

The URL shown for each realm is the address you will later enter into the web browser to test and connect to that web portal.

3. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and, under Specify custom IP ranges, use the SSLVPN_TUNNEL_ADDR1 address range for tunnel-mode clients.

Under Authentication/Portal Mapping, add the SSL VPN user groups created previously.

Add the WebOnlyGroup to the web-access portal, and add the FullAccessGroup to the full-access portal.

Set the Realm accordingly for each portal mapping.

4. Configuring the multi-realm SSL VPN policy

Go to Policy & Objects > Policy > IPv4 and add a security policy allowing access to the internal network.

Set Incoming Interface to ssl.root.

Set Source Address to all and add the Source User groups you created.

Set Outgoing Interface to the local network interface so that the remote users can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

5. Results – Testing the web portal

To test the results of this configuration, check each portal against the user group that is assigned to it and against the group that is not.

To begin, use your web browser and navigate to the SSL VPN web portal for the web-only access group. In this case, the portal is located at https://172.20.121.56:10443/web.

Attempt to log into this portal first using the web-only user dprince. Log out after a successful attempt. Note how Tunnel Mode does not appear for the web-only user.

After logging out, attempt to connect to this portal again using the full-access group user ckent. Permission should be denied.

Next, attempt to log into the full-access portal, in this case located at https://172.20.121.56:10443/full.

If you attempt to log in with user dprince, permission should be denied.

Log in successfully with user ckent. Tunnel Mode is now active with a successful connection.

Note that Tunnel Mode does not work on Google Chrome. If Tunnel Mode does not successfully connect, and you are using a compatible browser, you may need to update your FortiClient plugin.

Log out when you are satisfied with the full-access portal.

6. Results – Testing the FortiClient tunnel

Next, you will use the FortiClient standalone application to test the tunnel’s accessibility for each user group. Only user ckent should have access to this tunnel.

Open FortiClient and begin by creating a new SSL VPN tunnel.

Set Remote Gateway to the Internet-facing interface on the FortiGate.

Set Customize port to 10443 and Apply your changes.

Attempt to connect to this new tunnel using the web-only user dprince. Permission should be denied.

Next, attempt to connect to the tunnel using the full-access user ckent. The connection should be successful.

7. Results – Logging and monitoring

Go to Log & Report > Traffic Log > Forward Traffic to view the details for the SSL entries.
Go to VPN > Monitor > SSL-VPN Monitor to verify the connection type and status.

8. Troubleshooting

If you're having difficulty with this configuration, you can use the SSL VPN debug output to troubleshoot it.

Go to System > Dashboard > Status, enter the following commands in the CLI Console, and then attempt to connect to the tunnel again:

diagnose debug disable
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable

For further reading, check out Basic SSL VPN configuration in the FortiOS 5.2 Handbook.

The post Multi-realm SSL VPN tunnel appeared first on Fortinet Cookbook.


Viewing the FortiGate or FortiExtender Modem List

This article shows how to view the most recent version of the supported modem list for FortiGate or FortiExtender.

These lists depend on the modem database version, not the version of FortiOS used. The examples shown in this article use screenshots from FortiOS 5.4, but they are also accurate for FortiOS 5.2. Any differences are listed with an asterisk, like this:

You can find a list of supported modems in our Fortinet reference manuals:

You can also view the modem lists in the FortiGate interface by enabling either the modem interface or FortiExtender.

Method 1: Viewing the FortiGate/FortiExtender Modem List

A FortiGate 100D running 5.4 (Interim build) was used in this example.

1. Enabling the FortiGate modem interface

The modem configuration is hidden in the FortiGate GUI by default. Enter the CLI commands shown below to enable it.

Log out and back in to refresh the GUI page.

config system modem
 set status enable
end

2. Viewing the supported modem lists

Go to Network > Modem and select Configure Modem.

Click the FortiGuard button to get the latest version of the supported modem lists, and then select the plus button to expand either list.

Method 2: Viewing the FortiExtender Modem List

After connecting the FortiExtender to the FortiGate as described in its QuickStart guide, follow the example below.

A FortiExtender 100B and a FortiGate 100D running a 5.4 (Interim build) were used in this example.

1. Enabling the FortiGate to show FortiExtender configurations

Enable Control And Provisioning of Wireless Access Points (CAPWAP) on the port to which the FortiExtender is connected. This allows the FortiExtender to communicate with the FortiGate using CAPWAP. Enter the following CLI commands, replacing [port] with that interface's name:

config system interface
 edit [port]
  append allowaccess capwap
end

The FortiExtender configuration is hidden in the FortiGate GUI by default. Enter the following CLI commands to enable it:

config system global
 set fortiextender enable
 set wireless-controller enable
end

Go to System > Feature Select and enable FortiExtender features.

2. Authorizing the FortiExtender

Go to Network > FortiExtender and set the Interface Name to the port the FortiExtender is connected to. Select Authorize.

3. Viewing the supported modem lists

Go to Network > FortiExtender and select Configure Settings.

Select Supported Modems to go to the supported modem lists.

Click the FortiGuard button to get the latest version of the supported modem lists, and then select the plus button to expand either list.

For further reading, check out Modem in the FortiOS 5.2 Handbook.

FortiOS 5.2 notes:
This feature allows you to use the FortiExtender to connect your FortiGate to a 3G/4G wireless network.
This step is not necessary in FortiOS 5.2.
In FortiOS 5.2, click the Update Now button and then select the triangle button to expand either list.


Integrating a FortiGate with FortiClient EMS

In this recipe, you will learn how to integrate a FortiGate with FortiClient Endpoint Management Server (EMS) and your Active Directory server to protect the devices or endpoints on your network. Using this Internal Segmentation Firewall (ISFW) configuration you can relatively easily deploy and manage FortiClient to protect all of the endpoints on your network.

FortiClient EMS supports ISFW by simplifying FortiClient deployment and by providing endpoint management from a single console. FortiClient EMS helps to provide real-time control and visibility into your endpoints when they are both on and off corporate networks.

In FortiGate Integrated mode, FortiClient EMS deploys the endpoint clients while an integrated FortiGate running FortiOS 5.4 handles Network Access Control (NAC) and policy enforcement.

For more information on FortiClient EMS, please refer to the FortiClient EMS Administration Guide.

1. Configuring FortiClient EMS

In the FortiClient EMS Dashboard, go to Endpoints > Domains and select the Add a new domain button.

In the Domain Settings window, enter the Active Directory server information.

Test the connection, and then select Save.

Select the new domain in the Domains list to view the Client Details and FortiClient Information.

Go to View > Settings.

Enter and confirm a FortiHeartBeat Connection Key and enable Scan Local Workgroups. Make note of the FortiHeartBeat Connection Key.

Also note the FortiClient Download URL.

Save your changes.

2. (Optional) Importing Endpoint Profiles into FortiClient EMS

If you have previously configured Endpoint Profiles on a FortiGate and you wish to import them into FortiClient EMS, follow the instructions below.

Navigate to the Endpoint Profiles list on the left pane and click on the Import profile from FortiGate icon.

Enter the FortiGate IP/Hostname and valid administrator credentials and click Next.

You can assign a profile to a Domain or Workgroup by right-clicking on it and selecting Assign profile.

3. Enabling and enforcing FortiHeartBeat on the FortiGate

On the FortiGate, go to Network > Interfaces and edit the internal interface.

Under Restrict Access, enable FortiHeartBeat.

Scroll down to Admission Control and enable Enforce FortiHeartBeat for all FortiClients.

4. (Optional) FortiClient installer configuration

With the above configuration, devices on the internal network that aren’t registered with FortiClient are presented with an Endpoint Security Required page that includes a download link to the FortiClient application on the FortiGate. You can customize the FortiClient download installer link to use the EMS installer link instead.

On the FortiGate, go to System > Replacement Messages, switch to the Extended View, and edit the Endpoint Control replacement message for the appropriate endpoints.

You can also customize the installer itself in FortiClient EMS.

Go to View > Software Manager and +Add a custom installer.

Configure the installer as desired, then select Save.

5. Results

When a device on the internal network that isn’t registered with FortiClient attempts to connect to the Internet, or access other services behind the FortiGate, the user of that device is presented with an Endpoint Security Required page that includes a download link to the FortiClient application.

When the user downloads and installs FortiClient, they are prompted for registration. 

Enter the Registration Key and select Accept.

Note that the Registration Key matches the FortiHeartBeat Connection Key entered in Step 1.

The FortiClient then registers to the FortiGate (or FortiClient EMS, depending on the installation) and downloads a configuration update from FortiClient EMS.

The registered endpoint now has access to the Internet and network services as defined by NAC and policy enforcement on the FortiGate.

The registration information and FortiClient profile configuration can be verified in the FortiClient window.

To view the details of registered endpoints on FortiClient EMS, select Endpoints from the left pane.
Highlight one of the endpoints in the All Endpoints list to view Client Details.

To view the details of registered endpoints on the FortiGate, go to one of the following:

FortiView > Sources
(Double-click the item in the list to drill down to greater detail.)

User & Device > Device List

Monitor > FortiClient Monitor

Notes:

The FortiHeartBeat Connection Key entered in Step 1 is the key the FortiClient endpoint will need in order to register.

You can also Exempt Sources (such as devices that do not support FortiClient: routers, printers, Linux devices) and/or Exempt Destinations/Services (such as the EMS server itself, if necessary). When you exempt a source or destination, it does not require FortiClient registration to access network services or the Internet.


FortiAuthenticator as a Certificate Authority

For this recipe, you will configure the FortiAuthenticator as a Certificate Authority (CA). This will allow the FortiAuthenticator to sign certificates that the FortiGate will use to secure administrator GUI access.

This scenario includes creating a certificate request on the FortiGate, downloading the certificate to the network’s computers, and then importing it to the FortiAuthenticator. You will sign the certificate with the FortiAuthenticator’s own certificate, then download and import the signed certificate back to the FortiGate.

The process of downloading the certificate to the network’s computers will depend on which web browser you use. Internet Explorer and Chrome use one certificate store, while Firefox uses another. This configuration includes both methods.

1. Creating a new CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new CA.

Enter a Certificate ID, select Root CA certificate, and configure the key options as shown in the example.

Once created, highlight the certificate and select Export.

This will save a .crt file to your local drive.

2. Installing the CA on the network

The certificate must now be installed on the computers in your network as a trusted root CA. The steps below show different methods of installing the certificate, depending on your browser.

Internet Explorer and Chrome

In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the Certificate Import Wizard.

Make sure to place the certificate in the Trusted Root Certification Authorities store.

Finish the Wizard, and select Yes to confirm and install the certificate.

Firefox

In the web browser, go to Options > Advanced > Certificates and select View Certificates.

In the Authorities tab, select Import.

Find and open the root certificate.

You will be asked what purposes the certificate will be trusted to identify. Select all options, and select OK.

3. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).

Enter a Certificate Name, the Internet-facing IP address of the FortiGate, and a valid email address, then configure the key options as shown in the example.

Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

4. Importing and signing the CSR on the FortiAuthenticator

Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr file created earlier.

Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256, as configured earlier.

Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of Active. Highlight the certificate and select Export Certificate.

This will save a .cer file to your local drive.

5. Importing the local certificate to the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the .cer certificate you just created. Select Open and then select OK.

You should now see that the certificate’s Status has changed from Pending to OK. You may have to refresh your page to see the status change.

6. Configuring the certificate for the GUI

Go to System > Admin > Settings.

Under Administration Settings, set HTTPS server certificate to the certificate created/signed earlier, then select Apply.

7. Results

Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no certificate errors will appear.


FortiAuthenticator certificate for SSL inspection

For this recipe, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.

Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA), otherwise the certificate created in this recipe will not be trusted. For more information on how to do this, see FortiAuthenticator as a Certificate Authority.

This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.

As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

1. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name (Ramtops), the public IP of the FortiGate (172.20.121.92), and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. This ensures the certificate uses a sufficiently strong key.

Once created, the certificate Ramtops will show a Status of Pending. Highlight Ramtops and select Download.

This will save a .csr file to your local drive.

2. Creating an Intermediate CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Ramtops.csr file. Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Ramtops has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

3. Importing the signed certificate on the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the Ramtops.crt file and select OK.

You should now see that Ramtops has a Status of OK.

4. Configuring Application Control

Go to Security Profiles > Application Control and edit the default profile.

Under Options, enable Deep Inspection of Cloud Applications.

5. Configuring full SSL inspection

Go to Policy & Objects > Policy > SSL/SSH Inspection and create a new profile.

Enter a Name, select Ramtops from the CA Certificate dropdown menu, and make sure Inspection Method is set to Full SSL Inspection.

Next go to Policy & Objects > Policy > IPv4 and edit the policy that allows Internet access.

Under Security Profiles, enable SSL/SSH Inspection and select the ramtops profile created earlier.

Enable Application Control and set it to default.

6. Results

To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example, https://www.dropbox.com).

If you click on the lock icon next to the address bar, you should now see that the certificate presented for the site was issued by the FortiGate (172.20.121.92). As a result, no certificate errors will appear.
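An added example, not part of this recipe or of FortiAuthenticator as a Certificate Authority and not Fortinet's code: it replays both recipes' certificate flows with the openssl command line (assumed to be on PATH) and checks the outcome a client that trusts only the root CA would reach. It goes one step beyond the recipes by signing the same FortiGate CSR both ways, as an end-entity certificate for the GUI and as an intermediate CA for inspection, and showing that only the CA-typed certificate lets a FortiGate-minted site certificate verify; all names, the IP 192.0.2.10 and the host example.test are constructed.

```python
"""Added example, not from the Fortinet Cookbook. Assumes the openssl CLI is on PATH.
Every name, the IP 192.0.2.10 and the host example.test are constructed placeholders."""
import subprocess
import tempfile
from pathlib import Path

FGT_IP = "192.0.2.10"  # constructed stand-in for the FortiGate's public IP


def openssl(*args, check=True):
    """Run one openssl command; output is captured so the demo stays quiet."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=check)


def make_csr(work, name, subject):
    """Step 3 of the CA recipe / step 1 of the inspection recipe: new RSA-2048 key plus CSR."""
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", subject,
            "-keyout", str(work / f"{name}.key"), "-out", str(work / f"{name}.csr"))
    return work / f"{name}.csr"


def sign(work, csr, out_name, key, exts, issuer=None):
    """Sign a CSR with SHA-256 (the hash algorithm step 4 selects) and explicit X.509
    extensions; self-sign with `key` when no issuer certificate is given."""
    ext_file = work / f"{out_name}.ext"
    ext_file.write_text("\n".join(exts) + "\n")
    if issuer is None:
        who = ["-signkey", str(key)]
    else:
        who = ["-CA", str(issuer), "-CAkey", str(key), "-CAcreateserial"]
    openssl("x509", "-req", "-in", str(csr), *who, "-sha256", "-days", "365",
            "-extfile", str(ext_file), "-out", str(work / out_name))
    return work / out_name


def make_root_ca(work):
    """Step 1 of the CA recipe: the FortiAuthenticator's self-signed Root CA certificate."""
    csr = make_csr(work, "ca", "/CN=FortiAuthenticator Root CA (constructed)")
    return sign(work, csr, "ca.crt", work / "ca.key",
                ["basicConstraints=critical,CA:TRUE", "keyUsage=critical,keyCertSign,cRLSign"])


def sign_fortigate_csr(work, as_ca):
    """as_ca=False: step 4 of the CA recipe, an ordinary server certificate for the GUI.
    as_ca=True: step 2 of the inspection recipe, an intermediate CA certificate."""
    if as_ca:
        exts = ["basicConstraints=critical,CA:TRUE,pathlen:0",
                "keyUsage=critical,keyCertSign,cRLSign,digitalSignature"]
        out_name = "fgt-inspect.crt"
    else:
        exts = ["basicConstraints=CA:FALSE", "keyUsage=digitalSignature,keyEncipherment",
                "extendedKeyUsage=serverAuth", f"subjectAltName=IP:{FGT_IP}"]
        out_name = "fgt-gui.crt"
    return sign(work, work / "fgt.csr", out_name, work / "ca.key", exts, issuer=work / "ca.crt")


def issue_site_cert(work, issuer_crt, name):
    """What the FortiGate does per HTTPS site under full inspection: mint a certificate
    for the site and sign it with the private key behind the certificate it was given."""
    csr = make_csr(work, name, "/CN=example.test")
    return sign(work, csr, f"{name}.crt", work / "fgt.key",
                ["basicConstraints=CA:FALSE", "extendedKeyUsage=serverAuth",
                 "subjectAltName=DNS:example.test"], issuer=issuer_crt)


def chain_ok(work, cert, untrusted=None):
    """The decision a client that trusts only the root CA (step 2 of the CA recipe) makes."""
    extra = ["-untrusted", str(untrusted)] if untrusted else []
    result = openssl("verify", "-CAfile", str(work / "ca.crt"), *extra, str(cert), check=False)
    return result.returncode == 0


def signature_algorithm(cert):
    """First 'Signature Algorithm' line of the certificate text, e.g. sha256WithRSAEncryption."""
    for line in openssl("x509", "-in", str(cert), "-noout", "-text").stdout.splitlines():
        if "Signature Algorithm:" in line:
            return line.split(":", 1)[1].strip()
    return None


def demo(work=None):
    """Run both flows and report the checks a browser or the FortiGate would make."""
    work = Path(work or tempfile.mkdtemp())
    make_root_ca(work)
    make_csr(work, "fgt", f"/CN={FGT_IP}/emailAddress=admin@example.test")
    gui = sign_fortigate_csr(work, as_ca=False)
    inter = sign_fortigate_csr(work, as_ca=True)
    return {
        "gui cert signature": signature_algorithm(gui),
        "gui cert trusted by root": chain_ok(work, gui),
        "site cert via intermediate CA trusted": chain_ok(work, issue_site_cert(work, inter, "site-ok"), inter),
        "site cert via plain gui cert trusted": chain_ok(work, issue_site_cert(work, gui, "site-bad"), gui),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```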


Captive Portal WiFi Access with FortiToken-200 (Video)

IPsec VPN Two-Factor Authentication with FortiToken (Video)

In this video, you will configure two-factor authentication using FortiToken for IPsec VPN connections. You will add a FortiToken-200 to the FortiGate, assign the token to the user, and add the user to the group. You will then use the Wizard to create an IPsec VPN tunnel that allows FortiToken-200 users to securely access an internal network and the Internet. You will test the setup by having the user access the VPN from a remote device, using FortiClient.

The recipe for this video is available here.


WiFi with WSSO using Windows NPS and Attributes

This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. They belong to a Windows Active Directory (AD) group called WiFiAccess. The Network Policy Server (NPS) or RADIUS server performs user authentication and passes the WiFi group attribute to the FortiGate so that the appropriate security policy is applied.

There is an alternative way to set up WiFi with WSSO. To learn more about it, see WiFi with WSSO using Windows NPS and FortiGate Groups.

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right-click RADIUS Clients and create an entry for the FortiGate. Enter the FortiGate's IP address and the Shared secret (password).

2. Creating a Connection Request Policy

Right-click Connection Request Policies under Policies and select New. Leave the default values in the Overview and Settings tabs. In the Conditions tab, set Client IPv4 Address to the FortiGate's IP address.

3. Creating a Network Policy

Right-click Network Policies under Policies and select New to create a new policy. Leave the default values in the Overview tab. In the Conditions tab, click Add, select Windows Group, then select Add. Select Add Groups, enter WiFiAccess, and select OK.

In the Constraints tab, under Authentication Methods, click Add, select Microsoft: Protected EAP (PEAP), then select OK. Next select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), and finally select User can change password after it has expired and select OK.

In the Settings tab, go to RADIUS Attributes > Vendor Specific, click Add, select Custom under Vendor and Vendor-Specific under Attributes, then select Add. In the Attribute Information window, click Add, type 12356 next to Enter Vendor Code, and select Yes. It conforms. Click Configure Attribute; in the window that opens, enter 1 for Vendor-assigned attribute number, select String for Attribute format, enter WiFi as the Attribute value, and select OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New and name the server DC-RADIUS. Enter the Domain Controller IP address and the Server Secret that you entered on NPS. Optionally, you can click Test Connectivity and enter a RADIUS user's ID and password; the result should be "Successful".

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group named WiFi, matching the value of the RADIUS attribute configured on NPS. Do not add any members or remote servers.

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with RADIUS Server authentication, and choose DC-RADIUS.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD Group.
Go to Monitor > Firewall User Monitor. You can see the User Name and User Group, and verify that WSSO was the authentication Method used.
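The following is an added example, not part of this recipe and not Fortinet's code: it builds and parses the RADIUS Vendor-Specific Attribute that step 3 configures on NPS, so you can see the exact bytes the FortiGate compares with its local group name in steps 5 and 7, and what happens when the attribute value names a group the FortiGate does not have. The vendor code 12356, attribute number 1 and the value WiFi are the ones the recipe enters; the packet bytes and the user name student1 are constructed.

```python
"""Added example, not from the Fortinet Cookbook. Builds and parses the RADIUS VSA that
step 3 configures on NPS. Vendor 12356, attribute 1 and the value WiFi come from the
recipe; the attribute bytes and the user name "student1" are constructed."""
import struct

USER_NAME = 1               # RFC 2865 User-Name attribute
VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute, the container for every VSA
FORTINET_VENDOR_ID = 12356  # "Enter Vendor Code" in step 3
FORTINET_GROUP_NAME = 1     # "Vendor-assigned attribute number" in step 3, format String


def encode_attr(atype, data):
    """Type | Length | Value, where Length counts the two header bytes too."""
    if len(data) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, 2 + len(data)) + data


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute: Vendor-Id (4 bytes) followed by one vendor sub-attribute."""
    sub = encode_attr(vendor_type, value.encode())
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def iter_attributes(raw):
    """Yield (type, value) for each attribute in the attribute section of a RADIUS packet,
    refusing lengths that would run past the buffer."""
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("attribute length out of range")
        yield atype, raw[i + 2:i + alen]
        i += alen


def fortinet_group_names(raw):
    """Every Fortinet-Group-Name value in the attribute bytes; other vendors' VSAs are skipped."""
    names = []
    for atype, value in iter_attributes(raw):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        for vtype, vvalue in iter_attributes(value[4:]):  # vendor sub-attributes share the TLV layout
            if vtype == FORTINET_GROUP_NAME:
                names.append(vvalue.decode("utf-8", errors="replace"))
    return names


def matching_policy_group(raw, local_groups):
    """Steps 5 and 7: the FortiGate applies the policy whose source group has the same
    name as the attribute value; no match means no policy, so no Internet access."""
    for name in fortinet_group_names(raw):
        if name in local_groups:
            return name
    return None


# Constructed attribute section of an Access-Accept for the student tested in step 8.
SAMPLE_ACCEPT = (encode_attr(USER_NAME, b"student1")
                 + encode_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, "WiFi"))
# Same user, but NPS was configured with a different group value: nothing on the FortiGate matches.
SAMPLE_OTHER_GROUP = (encode_attr(USER_NAME, b"student1")
                      + encode_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, "Staff"))

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print(matching_policy_group(SAMPLE_ACCEPT, {"WiFi"}))       # WiFi
    print(matching_policy_group(SAMPLE_OTHER_GROUP, {"WiFi"}))  # None
```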



WiFi with WSSO using Windows NPS and FortiGate Groups

This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. These users belong to a Windows Active Directory (AD) group called WiFiAccess. When users enter their WiFi username and password, the FortiGate checks the local group WiFi. Since the group has been set up with a remote RADIUS server, the FortiGate performs user authentication against the Network Policy Server (NPS) or RADIUS server. If the user is authenticated successfully, the FortiGate will check for a policy that allows the WiFi group access.

There is an alternative way to set up WiFi with WSSO. To learn more about it, see WiFi with WSSO using Windows NPS and Attributes.

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right-click RADIUS Clients and create an entry for the FortiGate. Enter the FortiGate's IP address and the Shared secret (password).

2. Creating a Connection Request Policy

Right-click Connection Request Policies under Policies and select New. Leave the default values in the Overview and Settings tabs. In the Conditions tab, set Client IPv4 Address to the FortiGate's IP address.

3. Creating a Network Policy

Right-click Network Policies under Policies and select New to create a new policy. Leave the default values in the Overview tab. In the Conditions tab, click Add, select Windows Group, then select Add. Select Add Groups, enter WiFiAccess, and select OK.

In the Constraints tab, under Authentication Methods, click Add, select Microsoft: Protected EAP (PEAP), then select OK. Next select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), and finally select User can change password after it has expired and select OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New and name the server DC-RADIUS. Enter the Domain Controller IP address and the Server Secret that you entered on NPS. Optionally, you can click Test Connectivity and enter a RADIUS user's ID and password; the result should be "Successful".

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group named WiFi. Click on Create New under Remote groups, then enter DC-RADIUS for Remote Server, and Any for Groups. Select OK, and OK again.

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with Local authentication, and choose the local group WiFi.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD Group.
Go to Monitor > Firewall User Monitor. You can see the User Name and User Group, and verify that WSSO was the authentication Method used.

IPsec VPN with native Mac OS X client

In this recipe, you will learn how to create an IPsec VPN on a FortiGate, and connect to it using the default Mac OS X client.

This configuration allows Mac users to securely access an internal network and browse the Internet through the VPN tunnel. This recipe assumes that a user group (mac-users) has already been created.

This recipe was tested using Mac OS X El Capitan version 10.11.5.

1. Configuring the IPsec VPN using the Wizard

Go to VPN > IPsec Wizard.

Name the VPN connection, set Template Type to Remote Access, select the Cisco Client remote device type, and select Next.

Set Incoming Interface to the Internet-facing interface.

Select the Pre-shared Key authentication method and enter a pre-shared key.

Apply the appropriate User Group and select Next.

Set Local Interface to the internal interface and set Local Address to all.

Enter a Client Address Range for VPN users and select Create.

Disable split tunneling if you want all traffic (Internet and internal) to go through the IPsec VPN tunnel.

The VPN Creation Wizard provides a summary of created objects.

2. Creating a security policy for remote access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy that allows remote users to securely access the Internet.

Set Incoming Interface to the newly created tunnel interface and set Outgoing Interface to the Internet-facing interface.

Set Source to all, Destination Address to all, Schedule to always, and Service to ALL.

Enable NAT and select OK.

3. Results

On the Mac, go to System Preferences > Network and select the Plus (+) button.
Set Interface to VPN, set VPN Type to Cisco IPsec, and select Create.
Set Server Address to the IP address of the FortiGate, enter the network account details for the user, and open Authentication Settings.

Select the Shared Secret authentication and enter the same pre-shared key that was entered in the IPsec VPN Wizard, then select OK.

Be sure to Apply your network configuration.

In the Network window on the Mac, select the VPN and select Connect.

You should now be able to browse the Internet and have access to the internal network.

On the FortiGate, go to Monitor > IPsec Monitor and confirm that the tunnel Status is Up.

You must select Cisco Client because the native Mac OS X client is a Cisco IPsec client. If you require an IPsec VPN for Mac mobile devices (such as iPhones and iPads), select the iOS Native remote device type instead.


IPsec VPN with iOS 9 (Video)

WiFi using FortiAuthenticator RADIUS with Certificates

This recipe will walk you through the configuration of FortiAuthenticator as the RADIUS server for a FortiGate wireless controller. WPA2-Enterprise with 802.1X authentication can be used to authenticate wireless users with FortiAuthenticator. 802.1X utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between participants involved in an authentication exchange.

EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a client certificate. Every participant in EAP-TLS, the authentication server included, must possess at least two certificates: 1) a certificate signed by the certificate authority (CA) and 2) a copy of the CA root certificate.

This recipe specifically focuses on the configuration of the FortiAuthenticator, the FortiGate and a Windows 7 computer.

1. Creating a local CA on FortiAuthenticator

The FortiAuthenticator will act as the certificate authority for all certificates authenticated for client access. To enable this functionality, a self-signed root CA certificate must be generated.

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs. Click Create New. Complete the information in the fields pertaining to your organization.

2. Creating a local service certificate on FortiAuthenticator

In order for the FortiAuthenticator to use a certificate in mutual authentication (supported by EAP-TLS), a local services certificate has to be created on behalf of the FortiAuthenticator.

Go to Certificate Management > End Entities > Local Services. Click Create New. Complete the information in the fields pertaining to your organization.

3. Configuring RADIUS EAP on FortiAuthenticator

In order for the FortiAuthenticator to present the newly created Local Services certificate as its authentication to the WiFi client, RADIUS-EAP must be configured to use this certificate.

Go to Authentication > RADIUS Service > EAP. Click Create New. Select the corresponding Local Services certificate in the EAP Server Certificate section. Choose the Local CA certificate previously configured in the Local CAs section.

4. Configuring RADIUS client on FortiAuthenticator

The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.

Go to Authentication > RADIUS Service > Clients. Click Create New. Enter a Name, then the Client name/IP, which is the FortiGate’s IP address. Enter the Secret (password). Under Authentication method select Password-only authentication, and under Username input format select username@realm.
EAP-TLS should be the only EAP type selected, to prevent fallback to a less secure form of authentication if the WiFi client does not present a certificate.

5. Configuring local user on FortiAuthenticator

The authentication of the WiFi client will be tied to a user account on the FortiAuthenticator. In this scenario, a local user will be configured but remote users associated with LDAP can be configured as well.

Go to Authentication > User Management > Local Users. Click Create New. Fill out applicable user information.

6. Configuring local user certificate on FortiAuthenticator

The certificate created locally on the FortiAuthenticator will be associated with the local user. It is important to note that the Name (CN) must exactly match the username of the user registered in the FortiAuthenticator (in the example, eap-user).

Go to Certificate Management > End Entities > Users. Click Create New. Fill out applicable user information to map the certificate to the correct user.

7. Creating RADIUS server on FortiGate

In order to proxy the authentication request from the wireless client, the FortiGate will need to have a RADIUS server to submit the authentication request to.

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New. Enter FortiAuth as the Name. Enter the FortiAuthenticator’s IP address and the Server Secret (password). Optionally, you can click Test Connectivity and enter a RADIUS user’s ID and password. The result should be “Successful”.

8. Creating WiFi SSID on FortiGate

In order for the WiFi client to connect using its certificate, an SSID has to be configured on the FortiGate to accept this type of authentication.

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with RADIUS Server authentication, and choose FortiAuth.

9. Exporting user certificate from FortiAuthenticator

In order for the WiFi client to authenticate with the RADIUS server, the user certificate created in the FortiAuthenticator must first be exported.

On the FortiAuthenticator, go to Certificate Management > End Entities > Users. Click the checkbox beside the certificate. Click Export PKCS#12.
In the Export User Certificate and Key File dialog, type a password in Passphrase and confirm it. This password will be used when importing the certificate into the Windows 7 computer. Click OK.
Click Download PKCS#12 file to pull this certificate to the Windows 7 computer. Click Finish.

10. Importing user certificate into Windows 7

On the Windows 7 computer, double-click the downloaded certificate file from the FortiAuthenticator. This will launch the Welcome to Certificate Import Wizard. Click Next.
Make sure the correct certificate is shown in the File Name section in the File to Import window. Click Next.
Below Password, type the password created on the FortiAuthenticator during the export of the certificate. Select Mark this key as exportable. Leave remaining defaults. Click Next.
In the Certificate Store, choose the Place all certificates in the following store. Click Browse and choose Personal. Click Next, and then Finish. A dialog box will show up confirming the certificate was imported successfully.

11. Configuring Windows 7 wireless profile to use certificate

Create a new wireless SSID for this secure connection, in this case EAP-TLS. On Windows 7, go to Control Panel > Network and Sharing Center > Manage Wireless Networks > Add. Select Security type: WPA2-Enterprise and Encryption type: AES.
Modify the newly created wireless connection EAP-TLS by right-clicking it and choosing Properties.
On EAP-TLS Wireless Network Properties, under Choose a network authentication method, select Microsoft: Smart card or other certificates. Then click Settings.

On Smart Card or other Certificates Properties, under When connecting, select Use a certificate on this computer, and check Use simple certificate selection. Click OK, then OK again.

Please note that, for simplicity, Validate server certificate has been disabled here, but EAP-TLS allows the client to validate the server as well as the server to validate the client. Without server validation the client cannot tell a rogue access point or RADIUS server presenting a different certificate from the genuine one. To enable it, import the CA certificate from the FortiAuthenticator to the Windows 7 computer and make sure that it is installed as a Trusted Root Certification Authority.

The configuration for the Windows 7 computer has been completed and the user should be able to authenticate to WiFi via the certificate without using username and password.

12. Results on FortiAuthenticator

When the user attempts to authenticate to WiFi using the certificate, they will have a specific log entry in the FortiAuthenticator.

13. Results on FortiGate

The log on the FortiGate shows plenty of details, such as the client’s MAC address, IP address, SSID, Security Mode, Encryption, AP, Radio, Band and Channel.


FortiManager: Configure a Full Mesh VPN Topology within VPN Console


This is an example of how to configure a simple full mesh VPN with:

  • Three FortiGate (FGT) devices
  • Pre-shared key for authentication
  • Auto-up tunnel setting
  • Static Routes

1. Add FortiGate Devices and Map all Interfaces

Go to Device Manager, and add three FortiGate devices, by clicking Add Device. Follow the wizard to add each device.

Go to Policy & Objects > Policy Packages and define Zone interfaces.

Go to Device Manager and select a device.

Go to System: Interface and map interfaces to the Zone interfaces.


2. Create Firewall Address for Protected Subnets

Go to Policy & Objects > Object Configurations > Firewall Objects > Address to manage the firewall addresses.

The VPN Manager only supports firewall addresses whose type is set to Subnet (IP/Netmask). These firewall addresses will be used as protected subnets to generate static routes among the FortiGate devices.

3. Create a VPN Community

Go to VPN Manager > VPN Community list > Create New.

Set the VPN topology type to Full Meshed.


Define the authentication method with a pre-shared key.

Specify encryption and hash methods.


After defining authentication methods and encryption properties, click Next.

Configure VPN Phase 1 and Phase 2 settings.


For the IPSec Phase 2 setting, set the tunnel to Auto-Negotiate.

Under Advanced Options, the IKE version must be set to 2 if you want to carry IPv6 over the tunnels.

VPN configuration summary:


4. Add VPN Gateway

Go to VPN Manager > VPN Community.

In the content pane, from the Create New menu, select Managed Gateway.

Add a Protected Network. There can be more than one protected network.

Select a Device.


Select a default VPN interface. The default VPN interface must have a valid IP address and must be mapped.

Optionally, specify the local gateway. This option can be left blank in most cases.


Under Routing, select Automatic to generate static routes.
If Manual is selected, go to the Device Manager to set the IP addresses on the relevant IPsec interfaces and define the routes manually.

VPN gateway configuration settings summary:


5. Create Firewall Policies

Go to Policy & Objects > Policy Packages to create policies among the default VPN zones and protected-subnet interfaces.

Use the Install-On option to restrict policies applied on specific FortiGate devices.

Do not forget to create policies for bi-directional traffic.


For further FortiManager information, refer to the FortiManager Administration Guides available on the Fortinet Document Library.


Guest WiFi Accounts (Video)


In this video, you’ll learn how to set up accounts for guests to connect to your WiFi network for a limited amount of time. The accounts will allow guests to connect to your FortiGate’s WiFi network after authenticating using a captive portal. To make management easier, you’ll also create a separate administrative account for creating and managing guest accounts. In this example, a FortiAP in Tunnel mode is used to provide WiFi access to guests.

The recipe for this video is available here.


Security fabric installation


In this example, you will configure a security fabric that consists of four FortiGates and a FortiAnalyzer. One of the FortiGates will be the root (or upstream) FortiGate in the Security Fabric, while the others function as Internal Segmentation Firewalls (ISFWs). OSPF routing will be used for communication between devices.

Once the Fabric has been configured, a Security Fabric Audit is run to make any necessary improvements to the configuration.

In the example, the following FortiGate aliases/models are used:

  • External (root FortiGate): a FortiGate 600D
  • Accounting: a FortiGate 140D
  • Marketing: a FortiGate 90D
  • Sales: a FortiGate 51E


1. Configuring the External FortiGate

In the Security Fabric, the External FortiGate is the root, or upstream, FortiGate. All the ISFW FortiGates will link to External in order to connect to other devices in the fabric, as well as the Internet.

In this example, the following interfaces on the External FortiGate are used to connect to other network devices:

  • Port 9 connects to the Internet (this interface has already been configured)
  • Port 10 connects to Accounting (IP address: 192.168.10.2)
  • Port 11 connects to Marketing (IP address: 192.168.200.2)
  • Port 12 connects to Sales (IP address: 192.168.35.2)
  • Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)

On External, go to Network > Interfaces and edit port 10.

Set an IP/Network Mask for the interface (in the example, 192.168.10.2).

 

Configure Administrative Access to allow FortiTelemetry, required for communication between FortiGates in the Security Fabric.

Configure other services as required.

Repeat this step to configure the other interfaces, setting the appropriate IP addresses.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Accounting to the Internet.

Enable NAT.

Repeat this step to create similar policies for Marketing and Sales.

On the External FortiGate, go to System > Feature Select. Under Additional Features, select Multiple Interface Policies.

Go to Policy & Objects > IPv4 Policy and create a policy allowing the ISFW FortiGates to access the FortiAnalyzer.

Do not enable NAT.

To enable Security Fabric and configure the connection to the FortiAnalyzer, go to System > Security Fabric and enable Security Fabric. Set a Group Name and Password.

FortiAnalyzer logging is now enabled by default. Set IP Address to the IP address of the FortiAnalyzer’s port 2 (in the example, 192.168.55.10).

 
Select Test Connectivity. An error appears because the FortiGate has not yet been authorized on the FortiAnalyzer; this is done in step 5.

2. Installing the Accounting FortiGate

On Accounting, go to Network > Interfaces and edit wan1.

Set an IP/Network Mask for the interface that is on the same subnet as the External FortiGate’s port 10 (in the example, 192.168.10.10).

Configure Administrative Access to allow FortiTelemetry.

 

Edit the lan interface.

Set Addressing Mode to Manual and set the IP/Netmask to a private IP address (in the example, 10.10.10.1).

Configure Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

 

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access the Internet.

Because OSPF routing will be used, make sure NAT is not enabled.

 

Go to System > Security Fabric to add Accounting to the fabric. Enable Security Fabric, then enter the Group name and Group password set previously.

Enable Connect to upstream FortiGate and enter the IP of External’s port 10.

FortiAnalyzer logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Accounting connects to External.

 

If you have not already done so, connect Accounting’s wan1 port to External’s port 10.

3. Installing the Marketing and Sales FortiGates

 

Connect and configure Marketing using the same method as Accounting. Make sure to include the following:

  • Configure wan1 to connect to the External FortiGate (example IP: 192.168.200.10)
  • Configure the lan interface for the Marketing network (example IP: 10.10.200.1)
  • Create a policy to allow users on the Marketing network to access the Internet
  • Add the FortiGate to the Security Fabric
   

Connect and configure Sales, making sure to include the following:

  • Configure wan1 to connect to the External FortiGate (example IP: 192.168.35.10)
  • Configure the lan interface for the Sales network (example IP: 10.10.35.1)
  • Create a policy to allow users on the Sales network to access the Internet
  • Add the FortiGate to the Security Fabric

4. Configuring OSPF routing between the FortiGates

On External, go to Network > OSPF. Set Router ID to 0.0.0.1 and select Apply.

Expand the Advanced Options and set Default Information to Always, to make sure the default route is broadcast from External to the ISFW FortiGates.

 

In Areas, select Create New. Set Area to 0.0.0.0, Type to Regular, and Authentication to None.

 

In Networks, select Create New. Set IP/Netmask to 192.168.10.0/255.255.255.0 (the subnet that includes Accounting’s wan1) and Area to 0.0.0.0.

Create three additional entries, using the following IP addresses:

  • 192.168.200.0/255.255.255.0 (Marketing)
  • 192.168.35.0/255.255.255.0 (Sales)
  • 192.168.55.0/255.255.255.0 (FortiAnalyzer)
On the Accounting FortiGate, configure OSPF routing as shown. Router IDs are assigned incrementally, so this FortiGate uses 0.0.0.2. The Networks in this configuration are the subnet that includes Accounting’s wan1 and the subnet of the Accounting network.

Some FortiGate models, including the 90D and 51E used in this example, do not support configuring OSPF routing from the GUI. To add OSPF routing, use the following CLI commands, replacing 0.0.0.x with the FortiGate’s Router ID and the two x.x.x.0 prefixes with its wan1 subnet and its internal subnet:

config router ospf
  set router-id 0.0.0.x
  config area
    edit 0.0.0.0
    next
  end
  config network
    edit 1
      set prefix x.x.x.0/255.255.255.0
    next
    edit 2
      set prefix x.x.x.0/255.255.255.0
    next
  end
end

5. Configuring the FortiAnalyzer

In order to use the FortiAnalyzer in the Security Fabric, make sure that its firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, refer to the FortiAnalyzer Release Notes.

On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port2. Set IP/Netmask to an internal IP (in the example, 192.168.55.10/255.255.255.0).

Select Network again. Port 2 is now shown as the management interface. Add a Default Gateway, using the IP address of the External FortiGate’s port 16.

Go to Device Manager. The FortiGates are listed as Unregistered.

 

Select the FortiGates, then select +Add.

The FortiGates now appear as Registered.

On External, go to System > Security Fabric. FortiAnalyzer Logging now shows Storage Usage information.

6. Running a Security Fabric Audit

The Security Fabric Audit is used to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices. Using the Audit helps you tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network.

Also, by checking your Security Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.

The Security Fabric Audit must be run on the root FortiGate in the Security Fabric (in this example, External).

On External, go to Log & Report > Security Fabric Audit.

All the FortiGates in the Fabric are shown. Select Next.

At the top of the page, you can see your Security Score, as well as the overall count of how many checks were passed or failed, with the failed checks divided by severity.

Further down, information is shown about each failed check, including which FortiGate failed the check, the effect on your score, and the recommendation to fix the issue.

Some recommendations may be listed as Easy Apply. To apply these changes, select Next.

 

By using Easy Apply, you can change the configuration of any FortiGate in the fabric, not just the root FortiGate.

Select all the changes you wish to make, then select Apply Recommendations.

 

7. Results

On External, go to Dashboard > Main. The Security Fabric widget displays all devices in the fabric.

Also located on the Dashboard is the Security Fabric Score widget, which displays your current score.

If either of these widgets does not appear on your dashboard, it can be added using the Options button in the bottom right corner.
Go to FortiView > Physical Topology. This page shows a visualization of all access layer devices in the Security Fabric.

Security Fabric Audit recommendations are also shown in the topology, by the icon for the device the recommendations apply to.

Go to FortiView > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric (CSF) is connected to.

 

Go to Monitor > Routing Monitor. You will see both ISFW FortiGates listed, using OSPF routing.

 

8. (Optional) Adding security profiles to the fabric

A Security Fabric configuration allows you to distribute security functions to different FortiGates in the fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates.

This results in distributed processing between the FortiGates in the Security Fabric, reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network, as other internal networks may have different application control and web filtering requirements.

Because the External FortiGate no longer applies every profile, threats it does not inspect can pass through it, so you should tightly limit access to the network connections between the FortiGates in the fabric.

On External, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from Accounting to the Internet.

Under Security Profiles, enable AntiVirus and select the default profile.

Do the same for the policies allowing traffic from Marketing and Sales to the Internet.

 
 

On Accounting, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting Network to the Internet.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Do the same on Marketing and Sales.

This FortiGate has already been installed in NAT/Route mode. For more information, see Installing a FortiGate in NAT/Route mode.



Configuring Hair-pinning on a FortiGate


Hair-pinning, also known as NAT loopback, is the technique where a machine accesses another machine on the LAN via an external address. A packet travels in through an internal interface and out toward the Internet; it then “hair-pins” back on the same interface, connecting to the external IP. The FortiGate then forwards it through a virtual IP to the intended destination.

As a convenience, if a VIP is used together with hair-pinning, the same address can be used whether you are on the inside or the outside of the firewall. A VIP, commonly used for port forwarding, is set up to allow external users to access an internal server. The VIP takes traffic sent to a public IP address and forwards it to an internal IP address, such as the server’s private IP.

The following hair-pinning scenario covers the case where the VIP is bound to the any interface.

Scenario:

  • A company has a server on its internal LAN at IP address 192.168.1.98/24.
  • The Fully Qualified Domain Name for the website is test1.fortidoc.info, which resolves to 172.20.121.41.
  • SSH is running on the server and it will be used for testing purposes. The server listens for SSH traffic on port 22, but because there are multiple servers using SSH and only a few external IP addresses, port forwarding will be set up from external port 12345 to port 22 on the server.
  • Since words are easier to remember than numbers, most people bookmark this connection rather than try to remember it. To avoid confusion, the IT department has been asked to make sure the same bookmark works whether the user’s computer is connected to the internal LAN or anywhere on the Internet.
  • As a test, a client on the same subnet as the server will try to connect to it via the external address, 172.20.121.41.

Here is what you need to do to configure hair-pinning on your FortiGate:

1. Create a VIP

Before creating a policy for hair-pinning, ensure that there is already a policy allowing traffic from external to internal through the VIP.

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP. Enter a name for the VIP in the name box.

Set Interface to any.

Enter the External IP Address/Range and the Mapped IP Address/Range.

Enable Port Forwarding and specify the External Service Port and the Map to Port.

Verifying the situation

Before applying the fix, confirm that the problem actually exists:

Testing the connection externally

You can try to connect to the external server via the external IP and VIP from a computer on the external side of the firewall.

The connection is successful.

 

Testing the connection internally

You can try to connect to the internal server via the external IP and VIP from a computer on the internal side of the firewall.

The connection is unsuccessful.

2. Create a policy

When creating a policy for hair-pinning, it is important to use the internal interface as the Incoming Interface even though the traffic will be hitting the external interface of the VIP. In this case, the Incoming Interface and Outgoing Interface will be the same interface.

Go to Policy & Objects > IPv4 Policy > Create New. Enter a name for the policy in the name box.

Use the settings displayed in the graphic to create the policy.

Ensure that NAT is disabled.

In the CLI, enable the match-vip setting on this policy (config firewall policy, edit the policy, set match-vip enable), so that the policy matches traffic destined for the VIP’s external address.

3. Results

Testing the connection internally:

Try to make an SSH connection to the internal server from the internal side of the FortiGate.
Here you can see that the hair-pinning technique was successful.


Redundant Internet with SD-WAN


The following example demonstrates how to configure redundant Internet using the new SD-WAN feature in FortiOS 5.6. 

The goal of SD-WAN is to seamlessly manage traffic at the Layer 2 level of the OSI model without the need to manage hardware-based switches or WAN controllers.

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Modifying existing policies

You cannot add an interface to the SD-WAN interface if it is already referenced elsewhere in the FortiGate’s configuration. So, in this scenario, you must delete any security policies that use either WAN1 or WAN2, such as the default Internet access policy. Traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete the existing policies.

It is also advisable to check for any other references to WAN1 or WAN2 and make the necessary modifications.

If you have many policies that reference WAN1 and/or WAN2, a simple method is to redirect those policies to unused ports, rather than delete them, to avoid having to recreate each policy from scratch. Obviously, you should redirect those same policies back to the SD-WAN interface once it is created.

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.

3. Creating the SD-WAN interface

Go to Network > SD-WAN.

Set the Interface State to Enable.

Under SD-WAN, add the two WAN interfaces.

Under Load Balancing Algorithm, select Volume and prioritize the WAN1 interface to serve more traffic.

In the example, the ISP connected to WAN1 is a 40 Mb/s link and the ISP connected to WAN2 is a 10 Mb/s link, so we balanced the weight 75% to 25% in favor of WAN1.

To help visualize the effectiveness of the algorithm selected, the WAN Links Usage graph shows you the Bandwidth and Volume usage.

4. Configuring SD-WAN Status Check

You can optionally configure SD-WAN Status Check to verify the health and status of the links that make up the virtual WAN link.

This configuration uses the Ping protocol to verify the status of the SD-WAN.

Go to Network > SD-WAN Status Check and (if you wish to use Google) enter the values shown here.

5. Allowing traffic from the internal network to the SD-WAN interface

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the SD-WAN interface.

Enable NAT and apply Security Profiles as required.

Enable Log Allowed Traffic for All Sessions to allow you to verify the results later.

At this point, you should recover any policies that may have been redirected or deleted in Step 2 and point them to the SD-WAN interface.

6. Results

Browse the Internet using a computer on the internal network and then go to Network > SD-WAN > SD-WAN Usage.

You can see the bandwidth and volume of traffic traversing the SD-WAN interfaces.

Verify that Status Check is working by viewing the table at Network > SD-WAN > SD-WAN Status Check.

Go to Monitor > SD-WAN Monitor to view the number of sessions for each interface, bit rate, and more.

7. Testing failover

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection to one of the ports. Do so by physically disconnecting the Ethernet cable connected to WAN1.

Verify that users still have Internet access by navigating to Monitor > SD-WAN Monitor. Note the Upload/Download of each WAN interface.

Furthermore, go to Network > SD-WAN > SD-WAN Usage to see that bandwidth and volume have diverted entirely through WAN2.

Users on the internal network should have no knowledge of the WAN1 failure. Likewise, if you are using the WAN1 gateway IP to connect to the admin dashboard, nothing should change from your perspective. It will appear as though you are still connecting through WAN1.

Reconnect the WAN1 Ethernet cable when you have verified successful failover.


You can use any stable server that responds to ICMP requests, such as the ISP’s gateway. We recommend something with the fewest hops.


Setup of FortiAnalyzer in AWS

Protected: SAML FSSO with FortiAuthenticator and Okta

Decrypting ESP payloads using Wireshark


This recipe describes how to decrypt Encapsulated Security Payload (ESP) traffic on a FortiGate using the Security Association (SA) information from diag vpn tunnel list. This is useful for tracking whether the FortiGate is properly encrypting/decrypting IPsec VPN packets, and whether there is any packet loss.

PREP 10 mins      COOK 5 mins      TOTAL 15 mins

1. Establishing the tunnel

If the tunnel is currently down, go to Monitor > IPsec Monitor, right-click the tunnel, and select Bring Up.

2. Capturing packets

Go to Network > Packet Capture and create a new entry.

Set Interface to the external-facing interface (in this case, wan1).

Select Enable Filters and enter Protocol 50 (the protocol number for ESP).

 

In the Packet Capture list, highlight the new entry and select Start/Resume Capturing to begin capturing packets for the next step.

Ping through the tunnel to populate the packet capture with traffic.

For example, in Windows Command Prompt, enter: ping x.x.x.x -n 100, where x.x.x.x is the remote tunnel endpoint (-n 100 will ping 100 times).

In the Packet Capture list on the FortiGate, select the Download option to save the .pcap file to your computer once the packets have been captured.

3. Configuring Wireshark

In Wireshark, open the .pcap file saved previously. 

Go to Edit > Preferences and navigate to Protocol > ESP.

Select every option except Attempt to detect/decode NULL encrypted ESP payloads.

Select Edit… to open the ESP SAs configuration table.

On the FortiGate, open the CLI Console and enter the command diag vpn tunnel list.

Make note of the information next to dec: and enc:. You will need the SPI information, as well as the ESP and AH keys for both the remote and local FortiGates.

In Wireshark’s ESP SAs configuration table, add a new entry for each direction of the tunnel.

In the example image, note the following:

  • Src IP and Dest IP refer to the gateway addresses.
  • The SPI information in the diag output tells you which encryption and authentication keys belong to each direction: the dec: entry protects packets arriving at this FortiGate, the enc: entry protects packets it sends.
  • 0x must be prepended to the SPI entries as well as to each of the Encryption and Authentication Keys.

Click OK when you are done.
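Copying SPIs and keys by hand into the ESP SA table is where most mistakes happen (a swapped direction, a missing 0x, a truncated key). The following added Python helper, not part of this recipe or of FortiGate or Wireshark, parses the dec:/enc: lines into SA rows and checks each key against the byte length the diag output declares. It assumes the dec:/enc: line layout shown in the constructed sample (the SPIs and keys there are placeholders), and the Wireshark algorithm labels and esp_sa row layout in its tables; verify all three against the versions you run.

```python
"""Map FortiGate `diag vpn tunnel list` SA lines onto Wireshark ESP SA rows.

Added example for this recipe; not FortiGate or Wireshark code. Assumptions:
the dec:/enc: line layout in SAMPLE_DIAG, the Wireshark algorithm labels in
ESP_ALG/AH_ALG, and the esp_sa row layout produced by EspSa.uat_row().
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of one tunnel's SA lines; SPIs and keys are placeholders.
SAMPLE_DIAG = """\
  dec: spi=c1a2b3d4 esp=aes key=16 00112233445566778899aabbccddeeff  ah=sha1 key=20 0123456789abcdef0123456789abcdef01234567
  enc: spi=9f8e7d6c esp=aes key=16 ffeeddccbbaa99887766554433221100  ah=sha1 key=20 76543210fedcba9876543210fedcba9876543210
  dec:pkts/bytes=100/8400, enc:pkts/bytes=100/8400
"""

# One dec:/enc: line. key=N gives the key length in bytes; the hex follows.
# A null algorithm shows key=0 with no hex, so both hex groups are optional.
SA_LINE = re.compile(
    r"^\s*(?P<dir>dec|enc):[ \t]+spi=(?P<spi>[0-9a-fA-F]+)"
    r"[ \t]+esp=(?P<esp>[\w-]+)[ \t]+key=(?P<elen>\d+)(?:[ \t]+(?P<ekey>[0-9a-fA-F]+))?"
    r"[ \t]+ah=(?P<ah>[\w-]+)[ \t]+key=(?P<alen>\d+)(?:[ \t]+(?P<akey>[0-9a-fA-F]+))?",
    re.MULTILINE,
)

# FortiOS algorithm name -> label used in Wireshark's ESP SA table (assumed).
ESP_ALG = {
    "aes": "AES-CBC [RFC3602]",
    "3des": "TripleDES-CBC [RFC2451]",
    "des": "DES-CBC [RFC2405]",
    "null": "NULL",
}
AH_ALG = {
    "sha1": "HMAC-SHA-1-96 [RFC2404]",
    "md5": "HMAC-MD5-96 [RFC2403]",
    "sha256": "HMAC-SHA-256-128 [RFC4868]",
    "null": "NULL",
}


@dataclass
class EspSa:
    src: str
    dst: str
    spi: str       # 0x-prefixed, as the Wireshark table expects
    esp_alg: str
    esp_key: str   # 0x-prefixed hex, or "" for a null cipher
    ah_alg: str
    ah_key: str

    def uat_row(self) -> str:
        """One esp_sa row (assumed layout): protocol, src, dst, SPI,
        encryption algorithm, encryption key, auth algorithm, auth key."""
        fields = ["IPv4", self.src, self.dst, self.spi,
                  self.esp_alg, self.esp_key, self.ah_alg, self.ah_key]
        return ",".join('"%s"' % f for f in fields)


def _check_len(hexkey: Optional[str], nbytes: int, label: str) -> None:
    # Catch a mis-copied key early: the hex must be exactly 2*key-length chars.
    got = len(hexkey or "") // 2
    if got != nbytes or len(hexkey or "") % 2:
        raise ValueError(f"{label} key is {got} bytes, diag says key={nbytes}")


def _hex0x(hexkey: Optional[str]) -> str:
    return "0x" + hexkey.lower() if hexkey else ""


def _label(table: dict, name: str) -> str:
    try:
        return table[name.lower()]
    except KeyError:
        raise ValueError(f"no Wireshark label known for algorithm {name!r}")


def parse_sas(diag_text: str, local_gw: str, remote_gw: str) -> List[EspSa]:
    """Build one SA row per dec:/enc: line.

    dec: keys decrypt packets arriving at this FortiGate -> src=remote, dst=local
    enc: keys encrypt packets this FortiGate sends       -> src=local,  dst=remote
    """
    sas = []
    for m in SA_LINE.finditer(diag_text):
        _check_len(m["ekey"], int(m["elen"]), "ESP")
        _check_len(m["akey"], int(m["alen"]), "AH")
        inbound = m["dir"] == "dec"
        sas.append(EspSa(
            src=remote_gw if inbound else local_gw,
            dst=local_gw if inbound else remote_gw,
            spi="0x" + m["spi"].lower(),
            esp_alg=_label(ESP_ALG, m["esp"]),
            esp_key=_hex0x(m["ekey"]),
            ah_alg=_label(AH_ALG, m["ah"]),
            ah_key=_hex0x(m["akey"]),
        ))
    return sas


if __name__ == "__main__":
    # Local and remote gateway addresses are constructed placeholders.
    for sa in parse_sas(SAMPLE_DIAG, "10.0.0.1", "203.0.113.9"):
        print(sa.uat_row())
```

Paste the printed rows into the ESP SAs table (or the esp_sa file in your Wireshark profile), then re-open the capture.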

4. Results

In this example, a missing packet is identified in the packet capture by the ICMP error “No response seen to ICMP request”.
Shown here is a packet capture without any errors.

 

All times listed are approximations.
